Process: Automated Email Investigation - Pending Actions
Microsoft automatically investigates emails that have been reported to it as malicious. If an investigation finds that an email has a high chance of being malicious, remediation actions are required; however, these remediation actions are not taken unless an MC security operations team approves them. This task needs to be done on a regular basis.
1. Go to 365 Defender (security.microsoft.com).
2. On the left panel, go to Email & Collaboration -> Investigations.
3. Click on Filter on the top right.
   a. Change the Time range – Start Date to at least 2 weeks prior.
   b. Tick Pending Action and hit Apply.
4. If there are Pending Actions, click on the Investigation.
5. Go to “Pending Actions” at the top.
6. Select the action for more details on the email.
7. You can scroll down and click on “Open in Explorer” to see more details on the email.
8. After analysing the email using [PHISHING ARTICLE], you can go back to the investigation page, and do either of the following:
   a. If PHISHING/MALWARE – Click on Approve to soft delete.
   b. If False Positive – Click on Reject.
Further Reading:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions?view=o365-worldwide